Weak BYOD Security Endangering Company Data

Businesses are in danger of data breaches without informing employees of BYOD security policies and best practices.

As more employees bring their smartphones, tablets and notebooks to work and businesses implement bring your own device (BYOD) initiatives to increase worker productivity, they may also be putting corporate data at risk due to a lack of adequate security controls and employee education, according to a survey of 400 non-IT department individuals in a variety of industries across North America by Coalfire, an IT governance, risk and compliance (IT GRC) services company.

The majority of individuals are still using unsafe methods for mobile device security, especially in how they store passwords. The survey found nearly half (47 percent) of respondents have no passcode on their mobile phone, even though 84 percent of individuals stated they use the same smartphone for personal and work usage. Worryingly, 36 percent said they reuse the same password, and 60 percent of respondents said they are still writing down passwords on a piece of paper.

"The BYOD trend is not slowing down, and while it has many benefits, it's also introducing a number of new security risks that may be foreign to many companies," Rick Dakin, CEO and chief security strategist with Coalfire, said in a prepared statement. "The results of this survey demonstrate that companies must do much more to protect their critical infrastructure as employees work from their own mobile devices, such as tablets and smartphones, in the workplace. Companies need to have security and education policies in place that protect company data on personal devices."

The survey suggested businesses are still lacking when it comes to educating employees on mobile security risks. Nearly half of all respondents (49 percent) said their IT departments have not discussed mobile security or cybersecurity with them, and 51 percent of respondents stated their companies do not have the ability to remotely wipe data from mobile devices if they are locked or lost. Only 25 percent reported a discussion from IT about mobile security, suggesting 75 percent were left to their own best judgment.

The report also indicates IT departments are failing to communicate the policies they do have to employees, with 61 percent of respondents saying they had no knowledge of a social media policy, while 62 percent said the same about policies for mobile device usage. Smartphone users are also engaging in risky behavior, with 30 percent of respondents acknowledging that they have access to sensitive information, and another 16 percent unsure if they even have such access. These responses were similar to what we heard from tablet users (34 percent and 13 percent, respectively).

"In contrast, Coalfire's audits typically show at least some IT support for mobile devices, and we commonly see policies that allow IT to de-activate and erase the data on lost devices," the report concluded. "However, employees do not seem to be aware of this: only 21 percent of smartphone users knew that IT could wipe their phones. It seems that the mobile device management (MDM) technology is well ahead of the communication efforts at many organizations."